pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/graphics/librsvg Fix for CVE-2013-1881 (SA55088)



details:   https://anonhg.NetBSD.org/pkgsrc/rev/a74f0789c56f
branches:  trunk
changeset: 624929:a74f0789c56f
user:      tez <tez%pkgsrc.org@localhost>
date:      Thu Oct 03 13:39:12 2013 +0000

description:
Fix for CVE-2013-1881 (SA55088)
Modified (for portability) from https://git.gnome.org/browse/librsvg/patch/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e

diffstat:

 graphics/librsvg/Makefile                    |    4 +-
 graphics/librsvg/distinfo                    |    3 +-
 graphics/librsvg/patches/patch-CVE-2013-1881 |  166 +++++++++++++++++++++++++++
 3 files changed, 170 insertions(+), 3 deletions(-)

diffs (196 lines):

diff -r 61a8f5090944 -r a74f0789c56f graphics/librsvg/Makefile
--- a/graphics/librsvg/Makefile Thu Oct 03 13:18:25 2013 +0000
+++ b/graphics/librsvg/Makefile Thu Oct 03 13:39:12 2013 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.73 2013/10/01 05:16:47 obache Exp $
+# $NetBSD: Makefile,v 1.74 2013/10/03 13:39:12 tez Exp $
 
 DISTNAME=      librsvg-2.36.4
-PKGREVISION=   5
+PKGREVISION=   6
 CATEGORIES=    graphics gnome
 MASTER_SITES=  ${MASTER_SITE_GNOME:=sources/librsvg/2.36/}
 EXTRACT_SUFX=  .tar.xz
diff -r 61a8f5090944 -r a74f0789c56f graphics/librsvg/distinfo
--- a/graphics/librsvg/distinfo Thu Oct 03 13:18:25 2013 +0000
+++ b/graphics/librsvg/distinfo Thu Oct 03 13:39:12 2013 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.25 2012/10/19 18:33:07 drochner Exp $
+$NetBSD: distinfo,v 1.26 2013/10/03 13:39:12 tez Exp $
 
 SHA1 (librsvg-2.36.4.tar.xz) = 1e0152e6745bac9632207252c67dda2299010db4
 RMD160 (librsvg-2.36.4.tar.xz) = b9765edaccd7e40997a3a141e4d21c5a13f6f2a1
 Size (librsvg-2.36.4.tar.xz) = 513028 bytes
+SHA1 (patch-CVE-2013-1881) = 73e1d17960ce3e6da0bfd37ab5e4cd59326545ef
 SHA1 (patch-ab) = 44985e1c02f925769f394007f924b8d6ec8151d5
 SHA1 (patch-rsvg-io.c) = 1bcb7164dda065eb2e231818dd9c5df8b98e49a5
diff -r 61a8f5090944 -r a74f0789c56f graphics/librsvg/patches/patch-CVE-2013-1881
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/librsvg/patches/patch-CVE-2013-1881      Thu Oct 03 13:39:12 2013 +0000
@@ -0,0 +1,166 @@
+$NetBSD: patch-CVE-2013-1881,v 1.1 2013/10/03 13:39:12 tez Exp $
+
+from https://git.gnome.org/browse/librsvg/patch/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e
+
+From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe%gnome.org@localhost>
+Date: Mon, 11 Feb 2013 21:36:58 +0000
+Subject: io: Implement strict load policy
+
+Allow any file to load from data:, and any resource to load from other
+resources. Only allow file: to load other file: URIs from below the path
+of the base file. Any other loads are denied.
+
+Bug #691708.
+---
+diff --git a/rsvg-base.c b/rsvg-base.c
+index 1f88479..9d7c1ea 100644
+--- rsvg-base.c.orig   2013-10-03 07:33:50.579625000 -0500
++++ rsvg-base.c        2013-10-03 07:35:26.518496200 -0500
+@@ -25,6 +25,7 @@
+ */
+ 
+ #include "config.h"
++#define _GNU_SOURCE 1
+ 
+ #include "rsvg.h"
+ #include "rsvg-private.h"
+@@ -1001,6 +1002,7 @@
+ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ {
+     gchar *uri;
++    GFile *file;
+ 
+     g_return_if_fail (handle != NULL);
+ 
+@@ -1012,11 +1014,10 @@
+     else
+         uri = rsvg_get_base_uri_from_filename (base_uri);
+ 
+-    if (uri) {
+-        if (handle->priv->base_uri)
+-            g_free (handle->priv->base_uri);
+-        handle->priv->base_uri = uri;
+-    }
++    file = g_file_new_for_uri (uri ? uri : "data:");
++    rsvg_handle_set_base_gfile (handle, file);
++    g_object_unref (file);
++    g_free (uri);
+ }
+ 
+ /**
+@@ -2146,12 +2147,79 @@
+                          const char *uri,
+                          GError **error)
+ {
+-    RsvgLoadPolicy policy = handle->priv->load_policy;
++    RsvgHandlePrivate *priv = handle->priv;
++    GFile *base;
++    char *path, *dir;
++    char *scheme = NULL, *cpath = NULL, *cdir = NULL;
++    char cpath_buffer[PATH_MAX], cdir_buffer[PATH_MAX];
+ 
+-    if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
+-        return TRUE;
++    g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
++
++    scheme = g_uri_parse_scheme (uri);
++
++    /* Not a valid URI */
++    if (scheme == NULL)
++        goto deny;
++
++    /* Allow loads of data: from any location */
++    if (g_str_equal (scheme, "data"))
++        goto allow;
++
++    /* No base to compare to? */
++    if (priv->base_gfile == NULL)
++        goto deny;
++
++    /* Deny loads from differing URI schemes */
++    if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
++        goto deny;
++
++    /* resource: is allowed to load anything from other resources */
++    if (g_str_equal (scheme, "resource"))
++        goto allow;
+ 
++    /* Non-file: isn't allowed to load anything */
++    if (!g_str_equal (scheme, "file"))
++        goto deny;
++
++    base = g_file_get_parent (priv->base_gfile);
++    if (base == NULL)
++        goto deny;
++
++    dir = g_file_get_path (base);
++    g_object_unref (base);
++
++    cdir = realpath (dir,cdir_buffer);
++    g_free (dir);
++    if (cdir == NULL)
++        goto deny;
++
++    path = g_filename_from_uri (uri, NULL, NULL);
++    if (path == NULL)
++        goto deny;
++
++    cpath = realpath (path, cpath_buffer);
++    g_free (path);
++
++    if (cpath == NULL)
++        goto deny;
++
++    /* Now check that @cpath is below @cdir */
++    if (!g_str_has_prefix (cpath, cdir) ||
++        cpath[strlen (cdir)] != G_DIR_SEPARATOR)
++        goto deny;
++
++    /* Allow load! */
++
++ allow:
++    g_free (scheme);
+     return TRUE;
++
++ deny:
++    g_free (scheme);
++
++    g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++                 "File may not link to URI \"%s\"", uri);
++    return FALSE;
+ }
+ 
+ guint8* 
+diff --git a/rsvg-io.c b/rsvg-io.c
+index 3d6c8b5..818d2ec 100644
+--- rsvg-io.c
++++ rsvg-io.c
+@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
+     gboolean base64 = FALSE;
+ 
+     g_assert (out_len != NULL);
+-    g_assert (g_str_has_prefix (uri, "data:"));
++    g_assert (strncmp (uri, "data:", 5) == 0);
+ 
+     mime_type = NULL;
+     start = uri + 5;
+diff --git a/rsvg-private.h b/rsvg-private.h
+index 25283d4..1961eaf 100644
+--- rsvg-private.h
++++ rsvg-private.h
+@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
+ };
+ 
+ typedef enum {
+-    RSVG_LOAD_POLICY_ALL_PERMISSIVE
++    RSVG_LOAD_POLICY_STRICT
+ } RsvgLoadPolicy;
+ 
+-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
+ 
+ struct RsvgHandlePrivate {
+     RsvgHandleFlags flags;
+--
+cgit v0.9.2
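Review bot: The containment test in the `file:` branch of the load-policy function in rsvg-base.c (`realpath` on both sides, then `g_str_has_prefix` and the `cpath[strlen (cdir)]` separator check) validates a snapshot of the filesystem and then discards `cpath`. The function only returns TRUE/FALSE, so the caller presumably re-resolves `uri` when it opens the file; that caller is outside this hunk, so confirm that the check and the open cannot disagree if a symlink under the base directory changes in between, and record the assumption with a comment such as `/* NOTE: result describes the tree at check time; the caller re-opens uri */`. The check also fails closed when the base file sits directly in the root directory, because `cdir` is then `"/"` and `cpath[1]` is never `G_DIR_SEPARATOR`; that is safe but deserves a one-line comment so it is not later "fixed" into a looser test. Finally, `cpath_buffer[PATH_MAX]` and `realpath` depend on `<limits.h>` and `<stdlib.h>`, and no include is added in the visible hunks (only `_GNU_SOURCE`, which `realpath` does not need), so verify that `PATH_MAX` is defined on every platform this pkgsrc patch targets.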


